OPC UA Local Discovery


Discovery servers allow OPC UA clients to obtain details about one or more OPC UA servers, from a single point.

There are two types of OPC UA discovery servers:

  1. Local Discovery Servers (LDS)
  2. Global Discovery Servers (GDS)

This article will show how to register an OPC UA server with an LDS, and how an OPC UA client can use that LDS to connect to the OPC UA server.


As the name suggests, a Local Discovery Server (LDS) can be run on the same device as one or more OPC UA servers. For example, it is possible to install one or more OPC UA servers on a PLCnext Control device, alongside the OPC UA server that is included with the PLCnext Runtime. If an LDS is also installed on that PLCnext Control device, then all the OPC UA servers on that device can register with the LDS. Then, a remote OPC UA client can simply query the LDS for the details of all OPC UA servers running on that PLCnext Control device, and use those details to connect directly to one or more of those OPC UA servers.

Somewhat confusingly, it is also possible for an OPC UA server to register with an LDS that is running on a remote machine. In this way, a single LDS can be used by an OPC UA client to discover all the OPC UA servers running on an entire network of devices.

There is a good introduction to OPC UA discovery servers in this article from Unified Automation:



Before following the steps in this article, you should understand:


For this example, the network setup is as follows:

OPC UA Server: AXC F 2152 FW 2020.6.1
IP address:
DNS name: axc-f-2152-1

Local Discovery Server: Windows 10 PC
IP address:
DNS name: mypc.mycompany.com

OPC UA Client: Debian 10 PC
IP address:

These IP addresses and DNS names will be used throughout this article, but of course you should modify these for your own application.

Set up DNS names

If your network does not include a DNS server, edit the hosts file on each device.

The hosts file is located in the following directory:

Add the following new DNS entries (substituting the IP addresses and DNS names for your application):

On the PLC, add the LDS: mypc.mycompany.com

On the LDS machine, add the PLC: axc-f-2152-1

On the OPC UA Client machine, add both the LDS and the PLC: mypc.mycompany.com axc-f-2152-1

Check that all entries are correct by pinging the DNS names (not the IP addresses) that you have set up on each device.

Install the Local Discovery Server

The OPC Foundation provides a Local Discovery Server in the form of a Windows based executable. This can be downloaded for free (after registration) from this page:


Download and install this LDS on the Windows machine.

Install the OPC UA client

This example uses UaExpert from Unified Automation:


Download and install UaExpert on the OPC UA Client machine.

Locate certificates

The various OPC UA components - Server, Client and LDS - need to trust each other in order to ensure secure communications. Trust can be achieved by exchanging public certificates - that is, by putting each component's public certificate in the "trust store" for component(s) that need to trust it.

You can find the public certificate for each component as follows:

OPC UA Server

The device certificate can be found in the "OPC UA-self-signed" Identity store, by default. This will be different if you are using your own certificate.

The OPC UA server certificate can be downloaded from the Web Based Management page of the PLC. The certificate must then be converted from PEM format to DER format in order to be used by the other components. There are a large number of free tools that can be used for this conversion, including the openssl Linux command-line tool. An example of the bash command that you might use is:

openssl x509 -outform der -in OPC\ UA-self-signed_certificate.crt -out uaserver.der
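Added example, not part of the original article: a shell wrapper around the conversion above that keeps the DER file only if it carries the same certificate as the PEM download, and lets you compare its SHA-256 fingerprint with a value obtained out of band before the file goes into a trust store. The function names and the throwaway sample certificate are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: convert a PEM certificate to DER and confirm what was
# converted before the DER file is copied into another trust store.

# SHA-256 fingerprint as bare uppercase hex. $1 = file, $2 = PEM or DER.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':'
}

# Convert $1 (PEM) to $2 (DER); keep the output only if both encodings carry
# the same certificate. Prints the fingerprint on success.
pem_to_der_checked() {
    local pem="$1" der="$2" fp_pem fp_der
    fp_pem=$(cert_fingerprint "$pem" PEM)
    [ -n "$fp_pem" ] || return 1    # input did not parse as a certificate
    openssl x509 -in "$pem" -inform PEM -outform DER -out "$der" &&
        fp_der=$(cert_fingerprint "$der" DER) &&
        [ "$fp_pem" = "$fp_der" ] || { rm -f "$der"; return 1; }
    printf '%s\n' "$fp_der"
}

# Succeeds only if DER file $1 has fingerprint $2, a value obtained out of
# band from whoever administers the device (colons and case are ignored).
der_matches_expected() {
    local want
    want=$(printf '%s' "$2" | tr -d ': ' | tr '[:lower:]' '[:upper:]')
    [ -n "$want" ] && [ "$(cert_fingerprint "$1" DER)" = "$want" ]
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for the file downloaded from the PLC.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=axc-f-2152-1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Demo on the constructed sample.
tmp=$(mktemp -d)
make_sample_cert "$tmp/plc" &&
    fp=$(pem_to_der_checked "$tmp/plc.crt" "$tmp/uaserver.der") &&
    der_matches_expected "$tmp/uaserver.der" "$fp" &&
    echo "uaserver.der SHA-256: $fp"
rm -rf "$tmp"
```

Run the same fingerprint comparison on the LDS and client certificates before placing them in the PLC trust store, since every file in a trust store is accepted as a peer.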

LDS Server

By default, the certificate for the LDS is located here:

C:\ProgramData\OPC Foundation\UA\pki\own\certs\ualdscert.der

OPC UA Client

Copy certificates to Trust Stores

Copy each certificate (in .der format) to the trust stores for the other two components.

The trust store for each component can be located as follows:

OPC UA Server (PLC)

The trust store is the folder /opt/plcnext/Security/TrustStores/Empty/trusted


LDS Server

The trust store is the folder C:\ProgramData\OPC Foundation\UA\pki\trusted\certs

OPC UA Client (UaExpert)

Check all firewalls

At minimum, check that the firewall on the LDS server allows traffic on port 4840.

Configure the OPC UA Server in PLCnext Engineer

In PLCnext Engineer, in the OPC UA configuration window:

Write the PLCnext Engineer project to the PLC.

The PLC will now automatically attempt to register the OPC UA server with the LDS.

Discover and connect to the OPC UA server

The OPC UA server should appear in the Local branch of the tree. You can now use these details to connect to the OPC UA server in the usual way.



Obviously there is not much benefit in using an LDS when there is only one OPC UA server on a network. But for networks that include large numbers of OPC UA servers, an LDS provides a convenient way to browse and connect to those servers.